
Masood Ahmad Shah

This blog contains a summary of my research readings and thoughts in system and network engineering.


JUNOS Aggregated Ethernet Interfaces

An aggregated Ethernet interface increases bandwidth, degrades gracefully as individual member links fail, and therefore improves availability.

To configure an aggregated Ethernet interface on a Juniper box, use the link aggregation feature to bundle one or more physical links into a single virtual link. The client treats this virtual link as if it were one physical link.

To configure aggregated Ethernet interfaces using the JUNOS CLI:

1. Specify the number of aggregated Ethernet interfaces to be created (the knob sits under aggregated-devices ethernet):

[edit chassis]
jahil@Voyager# set aggregated-devices ethernet device-count 2

2. Specify the minimum number of member links that must be up for the aggregated Ethernet interface (aex), that is, the bundle, to be reported as up:

[edit interfaces]
jahil@Voyager# set ae0 aggregated-ether-options minimum-links 2

3. Specify the link speed for the aggregated Ethernet bundle (every member must run at this speed):

[edit interfaces]
jahil@Voyager# set ae0 aggregated-ether-options link-speed 1g

4. Specify the members to be included in the bundle with the 802.3ad option (on M/MX Series routers the stanza is gigether-options rather than ether-options):

[edit interfaces]
jahil@Voyager# set ge-0/1/0 ether-options 802.3ad ae0
jahil@Voyager# set ge-1/1/0 ether-options 802.3ad ae0

5. Specify an interface family for the aggregated Ethernet bundle:

[edit interfaces]
jahil@Voyager# set ae0 unit 0 family inet address 1.1.1.1/24

Note: An interface that already has an IP address (or any other family) configured on it cannot become a member of the aggregation group; remove that configuration from the physical interface first, it belongs on the ae unit instead.
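The same bundle in hierarchical form, with LACP added, as a worked example that is not part of the original post. The interface names, address and device count are the ones from the steps above; the LACP settings, and the use of gigether-options (M/MX Series; EX Series switches use ether-options), are my assumptions.

```junos
/* Added example: complete aggregated Ethernet configuration.
   Interface names and address follow the steps above; LACP settings are assumed. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;          /* how many aeX interfaces may exist */
        }
    }
}
interfaces {
    ge-0/1/0 {
        /* member links carry no unit or family of their own */
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-1/1/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            minimum-links 2;         /* bundle is down unless both members are up */
            link-speed 1g;
            /* LACP: a member only carries traffic once the far end agrees,
               so a mis-cabled or mis-patched port cannot silently join the bundle */
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
}
```

With two members and minimum-links 2 the bundle fails fast rather than degrading gracefully: one member going down takes ae0 down with it. If the point of the bundle is graceful degradation, set minimum-links 1 and rely on LACP to detect a dead member. Check the result with show interfaces ae0 and show lacp interfaces ae0.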

Posted Thursday, July 30, 2009 2:01 PM by jahil | 0 Comments


Netflow on Juniper Router

On Juniper routers, if you want to sample all traffic on an interface you don't really need a firewall filter; this simple form is enough:

    ge-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                }
            }
        }
    }

Packet sampling can also be done by defining a firewall filter that accepts and samples only specific traffic, applying that filter to the interface, and then configuring the sampling forwarding option, like this:

forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;                /* packet sampling rate: 1 in 100 */
            }
        }
        output {
            cflowd <flow collector IP address> {
                port 9991;               /* collector port number */
                source-address <source IP>;
                version 5;               /* NetFlow version number */
            }
            flow-active-timeout 60;      /* the collector you use may want something different */
        }
    }
}


These settings are per interface; the sampling input statement goes under family inet of the unit on each interface you want sampled:

interfaces {
    <interface> {
        unit <unit> {
            family inet {
                sampling {
                    input;
                }
            }
        }
    }
}
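Here is the filter-based variant end to end, as an added example rather than configuration from the original post: a filter that samples only one customer prefix and forwards everything else unsampled, applied to an interface, plus the matching forwarding-options. The filter name, interface, prefixes and collector address are placeholders (RFC 5737 documentation addresses).

```junos
/* Added example: sample only selected traffic with a firewall filter.
   Names and addresses are placeholders. */
firewall {
    family inet {
        filter sample-customer {
            /* sample (and still forward) traffic to or from the customer block */
            term customer {
                from {
                    address {
                        203.0.113.0/24;
                    }
                }
                then {
                    sample;
                    accept;
                }
            }
            /* everything else is forwarded without sampling; without this term
               the filter's implicit discard would drop it */
            term rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input sample-customer;
                }
                address 198.51.100.1/30;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;                /* 1 in 100 of the packets the filter marks */
            }
        }
        output {
            cflowd 192.0.2.10 {          /* collector */
                port 2055;
                source-address 198.51.100.1;
                version 5;
            }
            flow-active-timeout 60;
            flow-inactive-timeout 15;
        }
    }
}
```

Two things bite people here. A filter ends with an implicit discard, so the catch-all term with then accept is what keeps the rest of the traffic flowing; leave it out and the interface goes dark. And NetFlow v5 is plain UDP with no authentication or integrity check, so the export path to the collector should stay on a management network, and the collector should only accept records from the router's source-address.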

Note: If you want to use Jflow on M Series routers you have to buy specialised hardware (an AS or MS PIC, or an M7i, which comes with an embedded AS PIC).

You can run Jflow on the RE, but I personally don't recommend it: you could flood out routing updates and the like. Hardware-wise you would probably be best off with one of the new MultiServices PICs (a PE-MS-100-1 would fit). More information about the MS PICs can be found here: http://www.juniper.net/us/en/local/pdf/datasheets/1000199-en.pdf

With regard to licensing, you will need a licence (S-ACCT) to use flow accounting on the AS or MS PICs.

 

Posted Wednesday, July 15, 2009 3:42 PM by jahil | 0 Comments


Randy Bush on IPv6 Deployment

Great interview with Randy Bush, with very interesting thoughts about the costs you run into when hitting the IPv4 wall.


Randy Bush, of Internet Initiative Japan Inc. (IIJ) in Japan, discusses IPv6 deployment. It includes practical information on the challenges, costs and planning of rolling out IPv6.  

Posted Saturday, June 13, 2009 3:31 PM by jahil | 0 Comments


What Cisco code version to run?

Which Cisco IOS software version should I be using? Well, no one can answer that straight away. But Cisco offers a lot of software tools for its IOS routers, and many of them apply only to Cisco products. Here are some of the best tools and research sites for finding the code version you need on your Cisco security products.

  • IOS Software Advisor Tool - An excellent tool for getting automated advice on the best IOS code to use. I highly recommend the Research Software tab within this tool.
  • Cisco IOS Reference Guide - This indispensable guide explains all aspects of how IOS is packaged, what feature sets mean, how to make sense of the IOS numbering scheme, how to interpret each character in an IOS image name, and more.
  • Cisco Bug Toolkit - Your tool for doing code bug scrubs on all Cisco security products. I highly recommend you click the advanced options button; it gives you many more options to use in your research.
  • Feature Navigator - Lets you find which IOS code exactly matches the features you require, and lets you compare two images side by side.
  • Product Alert Tool - Sign up to receive PSIRT security alerts for IOS and other Cisco products.
  • IntelliShield PSIRT search tool - Use this tool to find security alerts on Cisco's security products. Put the product name you are looking for in the keyword field.
  • Cisco Field Notices - Field Notices are published for significant issues other than security vulnerabilities, and typically require an upgrade, workaround, or other customer action. Be sure to check them as part of your research.
  • Product Release Notes - The best way to find these is the CCO search tool. A good search pattern is “release notes” followed by the product and version, for example “release notes asa 8.0.4”. Pay careful attention to the open caveats section of each release note.
  • Cisco Discussion Forums - A good place to ask questions of your peers and of Cisco.

Posted Wednesday, May 13, 2009 1:00 PM by jahil | 2 Comments

Configuring the Juniper Media, IP & MPLS MTU

Here is some information on Juniper MTUs that I investigated for a customer a while ago. The frames actually transmitted also carry the cyclic redundancy check (CRC) bits, which are not part of the media MTU. For example, the media MTU for a Gigabit Ethernet interface is specified as 1500 bytes, but the largest possible frame size is actually 1504 bytes; you need to account for those extra bytes when calculating MTUs for interoperability.

 

Encapsulation Overhead by Encapsulation Type

Interface Encapsulation                                                       Encapsulation Overhead (bytes)
802.1Q/Ethernet 802.3                                                         21
802.1Q/Ethernet Subnetwork Access Protocol (SNAP)                             26
802.1Q/Ethernet version 2                                                     18
ATM Cell Relay                                                                4
ATM permanent virtual connection (PVC)                                        12
Cisco HDLC                                                                    4
Ethernet 802.3                                                                17
Ethernet circuit cross-connect (CCC) and virtual private LAN service (VPLS)   4
Ethernet over ATM                                                             32
Ethernet SNAP                                                                 22
Ethernet translational cross-connect (TCC)                                    18
Ethernet version 2                                                            14
Extended virtual local area network (VLAN) CCC and VPLS                       4
Extended VLAN TCC                                                             22
Frame Relay                                                                   4
PPP                                                                           4
VLAN CCC                                                                      4
VLAN VPLS                                                                     4
VLAN TCC                                                                      22


Default media MTU = default IP MTU + Layer 2 encapsulation overhead
Default IP MTU = default media MTU - Layer 2 encapsulation overhead
MPLS MTU = physical interface (media) MTU - Layer 2 encapsulation overhead - 12
If the IP MTU is already set: MPLS MTU = IP MTU + 20 bytes
The IP MTU is the Layer 2 payload: the IP packet (its own header included) without the Layer 2 header.

Note: the 12 bytes subtracted in the MPLS formula leave room for a label stack of three 4-byte MPLS labels, so a full-size packet still fits in the frame after the labels are pushed.
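To make the arithmetic concrete, here is a Gigabit Ethernet interface with jumbo frames and every MTU set explicitly. This is an added example, not configuration from the original post; the interface names, addresses and the 9192-byte media MTU are placeholders, and the comments carry the calculation from the formulas above.

```junos
/* Added example: media, IP and MPLS MTU set explicitly on two core-facing
   links, untagged and 802.1Q tagged. Names and addresses are placeholders. */
interfaces {
    ge-0/0/0 {
        /* media MTU: largest frame not counting the 4-byte CRC */
        mtu 9192;
        unit 0 {
            /* IP MTU   = 9192 - 14 (Ethernet v2 overhead)      = 9178 */
            family inet {
                mtu 9178;
                address 10.0.0.1/30;
            }
            /* MPLS MTU = 9192 - 14 - 12 (three 4-byte labels)  = 9166 */
            family mpls {
                mtu 9166;
            }
        }
    }
    ge-0/0/1 {
        /* 802.1Q tagged: overhead is 18, so the same media MTU gives
           IP MTU 9192 - 18 = 9174 and MPLS MTU 9174 - 12 = 9162 */
        vlan-tagging;
        mtu 9192;
        unit 100 {
            vlan-id 100;
            family inet {
                mtu 9174;
                address 10.0.1.1/30;
            }
            family mpls {
                mtu 9162;
            }
        }
    }
}
```

Verify with show interfaces ge-0/0/0, which prints the media MTU and the per-protocol MTU for inet and mpls. With the default Gigabit Ethernet media MTU of 1514 the same arithmetic gives an IP MTU of 1500 and an MPLS MTU of 1488. Mismatched MPLS MTUs at the two ends of an LSP show up as loss or fragmentation of large packets inside the VPN while plain IP between the same routers works fine, so check both ends report the same values.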

Posted Tuesday, May 05, 2009 1:08 PM by jahil | 2 Comments


JUNOS annotate
Adding comments to a configuration is always tricky on network devices. Annotate is just one of many cool features in JUNOS: the CLI lets you leave comments about the configuration as part of its listing. The comments come in handy when you or other team members are trying to troubleshoot a problem or need to make configuration changes. Use annotate followed by your note when you want to include a comment:

[edit]
jahil@R1# annotate system this device is for training JAHIL JUNOS users

When you add comments in configuration mode, they are associated with a statement at the current level. Each statement can have one single-line comment associated with it. To delete a comment, use the annotate command with an empty string:

[edit]
jahil@R1# annotate system ""

Posted Thursday, April 02, 2009 5:16 PM by jahil | 0 Comments


Scripting for Switches/Routers

Having a scripting language on your router comes in pretty handy sometimes (though I bet most people don't really use the Tcl interpreter on their Cisco boxes). I have been using Tcl scripts for ages. The new EEM is just heavenly: you can trigger on almost everything, even add your own syslog messages or create menus for low-level NOC engineers.

Event tracking and management has traditionally been performed by devices external to the networking device. Cisco Embedded Event Manager (EEM) offers event management capability directly in Cisco IOS devices. On-device, proactive event management is useful because not all event management can be done off the router: some problems compromise communication between the router and the external network management device. Capturing the state of the router in such situations can be invaluable for taking immediate recovery actions and for gathering the information needed for root-cause analysis. Network availability also improves when automatic recovery actions are performed without a full reboot of the routing device.

I like what I see. I would love it if this tool could be integrated with Perl for Cisco IOS (Tcl is a good move though), so that I could have everything in one place (it might require dual CPUs or HT on Cisco routers for better performance! lols).

I just can't wait to have the same feature in Juniper's JUNOS.

Posted Monday, March 23, 2009 5:57 PM by jahil | 0 Comments


I just got engaged!
So I just got engaged on Friday, very exciting. We are planning a winter 09/10 wedding, so it will be a 7 or 8 month engagement.

Posted Saturday, March 21, 2009 8:12 PM by jahil | 9 Comments

MPLS-in-GRE & MPLS-in-IP
JUNOS now supports MPLS-in-GRE and MPLS-in-IP. You can now wrap the MPLS label stack of a packet in an IP header, making it possible to tunnel MPLS over networks that do not have MPLS enabled on their core routers.

The JUNOS software supports both types of IP-based encapsulations: MPLS-in-IP and MPLS-in-GRE. JUNOS can both push the IP-based encapsulation on MPLS packets at the ingress of an IP tunnel and pop the IP-based encapsulation at the egress.

For JUNOS Release 9.4, support was added for the M120 and M320 routers. To tunnel MPLS-labeled packets over a non-MPLS-enabled IP network, configure the family mpls statement at the [edit interfaces interface-name unit unit-number] hierarchy level.
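Here is what that looks like for MPLS-in-GRE, as an added example rather than configuration from the original post. It assumes gr-1/0/0 is a GRE-capable tunnel interface on this box, that LDP distributes labels over the tunnel, and that the loopbacks 192.0.2.1 (local) and 192.0.2.2 (remote) are reachable through the core IGP; MPLS-in-IP (IP protocol 137) is not shown. The firewall filter is the part I would not leave out: GRE has no authentication, so the router should only decapsulate GRE from the peer it expects.

```junos
/* Added example: MPLS-in-GRE between two PEs over an IP-only core.
   gr-1/0/0, LDP, addresses and filter names are assumptions. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.1/32;
            }
        }
    }
    ge-0/0/0 {
        /* core-facing link; the filter admits GRE only from the known peer */
        unit 0 {
            family inet {
                filter {
                    input gre-from-peer-only;
                }
                address 198.51.100.1/30;
            }
        }
    }
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;
                destination 192.0.2.2;
            }
            family inet {
                address 10.255.0.1/30;
            }
            /* family mpls on the tunnel unit is what lets labeled packets be
               pushed into, and popped out of, the GRE encapsulation */
            family mpls;
        }
    }
}
protocols {
    mpls {
        interface gr-1/0/0.0;
    }
    ldp {
        interface gr-1/0/0.0;
    }
}
firewall {
    family inet {
        filter gre-from-peer-only {
            /* Anyone who can deliver IP protocol 47 to 192.0.2.1 could otherwise
               inject labeled packets straight into the VPN */
            term gre-from-peer {
                from {
                    source-address {
                        192.0.2.2/32;
                    }
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol gre;
                }
                then accept;
            }
            term gre-from-anyone-else {
                from {
                    protocol gre;
                }
                then {
                    count gre-unexpected;    /* worth graphing */
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

Check the tunnel and the label exchange with show interfaces gr-1/0/0.0 and show ldp neighbor; the gre-unexpected counter shows up in show firewall filter gre-from-peer-only. If the core is reachable through several interfaces, the filter has to go on every core-facing one.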

Posted Saturday, March 07, 2009 2:22 PM by jahil | 2 Comments


Trusted Prefixes (JUNOS vs IOS)

Juniper's JUNOS:

filter trusted-prefixes {
    /* allow the management protocols only from the trusted source prefixes;
       matching on destination-port (not port) means a trusted host cannot reach
       arbitrary ports simply by choosing 22 as its source port */
    term controlled-access {
        from {
            source-address {
                192.168.1.0/24;
                128.29.31.0/24;
                207.46.150.0/24;
                206.132.25.0/24;
                208.48.26.0/24;
                207.159.55.0/24;
                167.216.192.0/24;
            }
            protocol tcp;
            destination-port [ ftp ftp-data telnet ssh ];
        }
        then accept;
    }
    /* reject answers with an ICMP unreachable; use discard if you would rather
       give scanners nothing back */
    term access-denied {
        then {
            log;
            reject;
        }
    }
}

Cisco's IOS:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 128.29.31.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 128.29.31.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 128.29.31.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 128.29.31.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 207.46.150.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 207.46.150.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 207.46.150.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 207.46.150.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 206.132.25.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 206.132.25.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 206.132.25.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 206.132.25.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 208.48.26.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 208.48.26.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 208.48.26.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 208.48.26.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 207.159.55.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 207.159.55.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 207.159.55.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 207.159.55.0 0.0.0.255 any eq ssh
access-list 101 permit tcp 167.216.192.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 167.216.192.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 167.216.192.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 167.216.192.0 0.0.0.255 any eq ssh
access-list 101 deny ip any any log

IOS release 12.4(20)T introduced ACL object groups: you can define a group of addresses or services once and reference it from a single ACE, which collapses the list above to a handful of lines.

Posted Monday, February 09, 2009 5:23 AM by jahil | 0 Comments


Exploiting Network Protocols to Exhaust Bandwidth Links

In February 2008 I spoke at a conference in Lahore on "Exploiting Network Protocols to Exhaust Bandwidth Links":

"Chase 2008 - Conference On Hacking And Security"

Venue

Institute of Engineers Pakistan
IEP Building
2nd Floor, Engineering Centre
97-B/D-1, Liberty Round About
Liberty Market
Gulberg II, Lahore.

http://www.chase.org.pk/en/archives/chase-2007/downloads/masood-protocolattacks.pdf

 

Posted Friday, February 06, 2009 11:45 PM by jahil | 0 Comments


JUNOS VPLS on FE Interfaces

There are numerous misconceptions about VPLS support on Juniper Fast Ethernet PICs. Here is a quick workaround for running VPLS on Juniper's PE-4FE-TX and PB-4FE-TX PICs. This setup requires MPLS LSPs between the PEs.

  

 Interface Configuration:

jahil@jahil-re0> show configuration interfaces fe-0/0/2 
vlan-tagging;
speed 100m;
link-mode full-duplex;
encapsulation vlan-vpls;
fastether-options {
    loopback;
}
unit 512 {
    encapsulation vlan-vpls;
    vlan-id 512;
    family vpls;
}

jahil@jahil-re0>

 

BGP Configuration: 


jahil@jahil-re0> show configuration protocols bgp |display inheritance
group jahil-ibgp {
    type internal;
    multihop;
    local-address 10.1.1.3;
    family l2vpn {
        signaling;
    }
    authentication-key "Hey I'm TCP-MD5 option to secure a bgp session for you but Cisco's PIX does not like me ( by default :) )";
    neighbor 10.1.1.1;
}

jahil@jahil-re0>

 

VPLS routing instance Configuration: 


jahil@jahil-re0> show configuration routing-instances BGP-VPLS
instance-type vpls;
interface fe-0/0/2.512;
vrf-target target:65000:2;
protocols {
    vpls {
        site-range 10;
        mac-table-size {
            6000;
        }
        site green {
            site-identifier 3;
            interface fe-0/0/2.512;
        }
    }
}

jahil@jahil-re0>

 

If you don't have Juniper's AS PIC, use no-tunnel-services under the VPLS protocol stanza of the routing instance, so the PE uses an LSI interface instead of a tunnel-PIC vt interface:

[edit routing-instances BGP-VPLS]
protocols {
    vpls {
        no-tunnel-services;
    }
}

 

Note: The following interface types do not support the use of LSI interfaces with VPLS:

  • Aggregated SONET/SDH interfaces (cannot be used as the core-facing interface)
  • Channelized interfaces (cannot be used as the core-facing interface)
  • ATM1 interfaces

This is not the same as a Gigabit Ethernet IQ or IQ2 PIC: on the 4FE PICs you cannot take advantage of Juniper's lovely flexible-ethernet-services encapsulation.

Posted Wednesday, February 04, 2009 1:20 AM by jahil | 0 Comments


A small love story about Routerboard

RouterBoard makes a complete line of devices that, pound for pound, beat Cisco/Juniper/Nortel/Extreme on features at a much lower price point. I've been using Cisco/Juniper/Nortel devices for years, and after some seriously productivity-killing bugs in their IOS and firewall OS, I would suggest to small companies that replacing your VPN node (IPIP, GRE, MPLS VPN and VPLS) with a RouterBoard is not a bad idea.

 



The RouterBoard 493 with high-power WiFi radio is only $250. Leave out the WiFi and it's down to $163.

http://www.roc-noc.com/product.php?productid=107&cat=4&page=1

Roc-Noc sells the complete system with case and power supply, but it starts with a raw board which you can read more about at http://routerboard.com/ and MikroTik (the company behind it all, and developer of the RouterOS that runs on the devices) at http://MikroTik.com/

All this may sound like I'm a shill for MikroTik, but naw...just a happy fan of their work.

Posted Thursday, January 29, 2009 3:13 AM by jahil | 2 Comments


IGP competition ISIS or OSPF

I understand that this question is a lot more complex than a simple yes or no, since factors like design and routing policy certainly affect how the protocols behave. It is really difficult to decide, or even to find out what the top network service providers use as their IGP. I'm trying to build a case for switching from OSPF to IS-IS, and here are my findings:

• In OSPF all areas must be directly linked to area 0, and the backbone area must not be segmented. IS-IS has no such restriction: Level 2 (backbone) routers need not be contiguous or directly linked to each other, so the backbone is easier to extend and can even be segmented.
• With regard to CPU use and the processing of routing updates, IS-IS is more efficient than OSPF: each IS-IS router sends one LSP per area (redistributed prefixes included), compared to the many OSPF LSAs that would be sent, and the mechanism by which IS-IS installs and withdraws prefixes is less processor intensive.
• In IS-IS the entire link-state database is not refreshed periodically the way OSPF does it, every 30 minutes by default.
• IS-IS uses router levels where OSPF uses areas. L2 routers are similar to OSPF backbone routers, and the set of L2 routers (including L1/L2 routers) with their interconnecting links makes up the IS-IS backbone, similar to area 0 in an OSPF network. L1/L2 routers belong to both levels and are analogous to OSPF ABRs.

Reference: Jeff Doyle, “Routing TCP IP”

Posted Thursday, January 22, 2009 5:28 PM by jahil | 2 Comments


JUNOS BGP 'apply-path'

JUNOS provides very flexible filtering options and supports a rich variety of match sources besides the usual AS path, neighbor IP, port and prefix list. Today we will talk about BGP, and specifically about securing the BGP session. Rather than hand-maintaining a list of the configured BGP neighbors in a prefix list, you can use the JUNOS apply-path statement.

Since BGP traffic should only come from configured peers, apply-path is used to keep the filter from going stale when a neighbor's IP changes or new neighbors are added in the future. apply-path lets configuration elements be matched with a regular expression when the prefix list is built; in this case the match-all <*> expressions produce a list containing every neighbor of every configured BGP group.


prefix-list bgp-configured-peers {
    apply-path "protocols bgp group <*> neighbor <*>";
}
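Putting this together with the trusted-prefixes filter from the earlier post, here is the kind of filter I would hang off lo0 so that it governs every packet addressed to the Routing Engine: BGP only from peers that actually exist in the configuration, SSH only from the trusted prefixes, and a counted, silent drop for everything else. This is an added example, not configuration from either post; the prefix-list and filter names, the addresses and the choice to leave telnet and ftp out (they carry credentials in cleartext) are mine.

```junos
/* Added example: one stateless filter on lo0 that uses the apply-path list
   of BGP peers together with the trusted management prefixes from the earlier
   post. Names are assumptions; addresses are placeholders. */
policy-options {
    prefix-list trusted-mgmt-prefixes {
        192.168.1.0/24;
        128.29.31.0/24;
    }
    /* rebuilt automatically from every configured BGP neighbor */
    prefix-list bgp-configured-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            /* either side may open the BGP TCP session, so match port (source
               or destination) here, but only from configured peers */
            term bgp-from-configured-peers {
                from {
                    source-prefix-list {
                        bgp-configured-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* management: inbound SSH only, only from trusted prefixes */
            term management {
                from {
                    source-prefix-list {
                        trusted-mgmt-prefixes;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* keep path MTU discovery and troubleshooting working */
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            /* anything else the RE needs (IGP, NTP, DNS, SNMP, ...) gets its own
               term above this one. Last term: count and drop silently; discard
               rather than reject so the router does not answer scanners */
            term default-deny {
                then {
                    count re-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 10.1.1.3/32;
            }
        }
    }
}
```

Commit this with commit confirmed so a mistake in the trusted list cannot lock you out of the box. show firewall filter protect-re shows the re-denied counter, and show configuration policy-options prefix-list bgp-configured-peers | display inheritance shows the addresses apply-path actually expanded to, which is worth checking before the filter goes live.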

Posted Sunday, January 18, 2009 7:05 PM by jahil | 0 Comments
